At present, legislative obligations rest with data controllers who are responsible for the actions of their data processors. Under the GDPR both data controllers and data processors can be responsible for data protection compliance. This means not only the owners of personal data will be responsible for meeting the requirements of the GDPR, but those holding or using that data (such as external marketing or IT suppliers) will also have new responsibilities.
One of the key principles for processing data is that the procedure must be fair and lawful. The bases on which data is processed are a key area of reform. The current rules are often interpreted too widely by data controllers.
One basis for fair and lawful processing is gaining the individual’s consent. A practice has arisen in many industries whereby consent is implied by the actions or inactions of the data subject. Under the GDPR this practice will no longer be accepted: consent must be freely given, specific, informed and unambiguous.
Organisations will be obliged under the GDPR to adopt an approach that promotes privacy and data protection compliance from the outset. All businesses in high-risk situations should consider carrying out Data Protection Privacy Impact Assessments.
The GDPR introduces stronger enforcement action where there is a breach of the data protection rules, including fines of up to 4% of an organisation’s turnover. Enforcement action will be unified across the EU with each national supervisory authority authorised to take action.
The rights of individuals in relation to their personal data have been enhanced under the GDPR. This impacts on the information which should be included in privacy policies and procedures and the way in which data subject access requests from individuals should be handled.
A properly equipped Data Protection Officer (DPO) can prove invaluable to an organisation dealing with vast amounts of data. The GDPR requires certain organisations to appoint a DPO to oversee compliance with data protection due to their size or business operations. This is a new requirement for those dealing with personal data in the UK although other EU Member States already require some organisations to have a DPO in place.
The GDPR applies to the personal data of all individuals within the EU and organisations processing their data are required to comply with the GDPR, regardless of whether those organisations are based within the EU themselves. In the age of data sharing, personal data may be processed in a number of different jurisdictions and the GDPR makes provision for identifying which data protection authority will supervise cross-border organisations.
Here at MacRoberts, we have extensive knowledge and experience in dealing with compliance and regulatory matters. We can provide the assistance you need to take proactive measures to ensure compliance and to avoid falling foul of any relevant laws and regulations.
Our Compliance and Regulatory team, headed by Partners David Flint, David Gourlay and Val Surgenor, has an impressive reputation in the legal and commercial markets and takes the time to understand your business, your drivers and your risks, tailoring the advice we provide around you.
We pride ourselves on our diverse, resourceful and highly skilled team of compliance and regulatory solicitors, who have substantial commercial and legal experience, delivering a pragmatic and commercial approach to our clients and their businesses.
If you require advice, assistance or representation in relation to the upcoming General Data Protection Regulation obligations or any other compliance and regulatory matters, contact our team today for expert advice tailored to your needs.